All things Exchange Antispam, Email Routing and POP Connectors

Menu

Spammers can sometimes forge the “From” address on mail messages so the spam appears to come from a user in your domain. To help prevent this sort of abuse, Hexamail supports DMARC, which gives domain owners more control over what recipient domains do with spam emails from your domain. Hexamail software allows you to follow the DMARC.org standard and decide how recipient domains treat unauthenticated emails coming from your domain. You can publish a policy telling recipient domains and other participating email providers how to handle unauthenticated messages sent from your domain. By defining a policy, you can help combat phishing to protect users and your reputation.

Let’s break the guide into some easy steps:

To add DMARC support to Exchange 2k – Exchange 2016 you need to do the following:

Configure an Outbound Send Connector in Exchange to send email out via the Hexamail SMTP gateway

Configure your DMARC settings for your domain.

Setting up SPF

SPF is the Sender Policy Framework. This is one of the two mechanisms used by DMARC to help verify email from your domain.It is implemented just by creating a simple DNS record telling other domains which servers can legitimately send email with a From address containing your domain. You just need to know all the servers and other domains or mailservers that may need to send email using your domain email addresses.

Setting up DKIM

DKIM is DomainKeys Identified Mail and involves signing your outbound email with a special signature in the header that guarantees the message was sent thru your server and has not been tampered with or modified since leaving your server. This is the second mechanisms used by DMARC to help verify email is genuinely from your domain. The system uses encryption keys to sign and verify the email. Your private key is generated on your server and signs all outbound email and the public key is published as a DNS record through your DNS management console to allow others to verify your signed email.

Managing DKIM keys for your domain

Hexamail software (the secure module) includes a management interface to let you simply generate and manage your signing keys. You can have multiple different signing keys with various different parameters. This lets you test a key or have keys that expire after a certain time or use specific keys for specific email subdomains or email addresses.

Generating a DKIM key for your domain

You need at least one key setup to start using DMARC. The secure module also shows you how to create the DNS record you need to add through your DNS management console to allow others to access your public key for verifying your email.

Creating a DKIM ADSP record for your domain

ADSP is Author Domain Signing Practices. This has largely been replaced by DMARC now. The secure module also shows you how to create the DNS record you need to add through your DNS management console to allow others to access your public key for verifying your email.

Setting up DMARC

Next you need to create a DMARC DNS record instructing other domains how to verify email from your domain and what to do with spoofed or fraudulent email

Creating a DNS record for DMARC

The secure module also shows you how to create the DNS record you need to add through your DNS management console to allow others to perform DMARC processing on email from your domain.

Verifying your DMARC setup

Finally you should verify your DMARC setup. To do this send an email from your domain to one of the many DMARC verification services or to a gmail account. The verification services usually send a reply containing the DMARC, SPF and DKIM test results in details.